A cyberattack on a clinic or hospital is literally a matter of life or death. In 2020, healthcare systems worldwide were already cracking under the strain of the COVID-19 pandemic, and the actions of cybercriminals only added to the load. One of the most significant threats of the past year for medical institutions came from ransomware attacks — cyberattacks in which cybercriminals encrypt data or extort management with threats to publish stolen data.
The consequences of such attacks are manifold. In addition to the obvious and dangerous disruption to medical services, healthcare companies can face longer-term repercussions ranging from regulatory fines to claims from patients whose personal data was violated.
High-profile ransomware incidents
One of the most talked-about cases of the past year, and a sign of the extent of the problem, was the Ryuk ransomware attack on Universal Health Services (UHS) last September. The group operates 400 medical facilities in the United States, the United Kingdom, and other countries. Fortunately, not all hospitals and clinics suffered, but the attack did hit UHS facilities in several US states. The incident occurred early on a Sunday morning: Company computers failed to boot, and some employees received a ransom demand. The telephone network was also affected. The IT department had to ask staff to work the old-fashioned way, that is, without IT. Naturally, that caused major interference in the usual flow of the clinic, affecting patient care, lab tests, and more. Some facilities had to refer patients to other hospitals.
In its official statement, UHS said that there was “no evidence of unauthorized access, copying or misuse of any patient or employee data.” In March of this year, the company released a report stating that the attack had caused $67 million worth of damage, including data recovery costs, lost revenue due to downtime, reduced patient flow, and more.
Meanwhile, an incident at Ascend Clinical, which specializes in testing services for kidney disease, led to a data breach affecting more than 77,000 patients. The cause of the infection is known: An employee clicked a link in a phishing e-mail. Having penetrated the system, the attackers got their hands on, among other things, patients’ personal data — names, dates of birth, social security numbers.
An attack on Magellan Health in April 2020 compromised the personal data of both employees and patients (365,000 victims, according to media reports). The cybercriminals somehow managed, through social engineering, to impersonate a client, gain access to the internal network, use malware to intercept login credentials, and finally encrypt data on the server.
Generally speaking, when attacking healthcare facilities, cybercriminals prefer to encrypt and steal data from servers rather than workstations. The same thing happened with the servers of the Florida Orthopedic Institute, when attackers encrypted the (previously stolen) data of 640,000 patients. That resulted in a rather unpleasant class action lawsuit.
The above is just a sample of high-profile incidents from the news last year. In fact, we had dozens more to choose from.
How healthcare institutions can secure themselves
Malware can penetrate a system in a variety of ways: through e-mail attachments, phishing links, infected websites, and more. Attackers can steal remote-access credentials, coax them out through social engineering, or simply use brute force. The old medical adage that prevention is better than cure applies equally well to cybersecurity, and not least to protection against ransomware. Here are our preventive-care tips for all things cyber:
- Protect all devices — and not only computers. Company smartphones, tablets, terminals, information kiosks, medical equipment, and absolutely anything else with access to the corporate network and the Internet;
- Keep all devices up to date. Again, that’s not just computers. Cyberprotection for, say, a tomograph may not spring immediately to mind, but it too is essentially a computer with an operating system that might have vulnerabilities. Ideally, security should play a major role in the choice of equipment — at the very least, before buying, have the vendor confirm it releases updates for its software;
- Install security solutions to protect e-mail. Protecting electronic communications is vital; medical organizations receive a lot of e-mails, including spam, which can contain not only harmless trash, but also dangerous attachments;
- Train all employees — that means admins and doctors and anyone else who touches technology — in the basics of cybersecurity awareness. Ever more parts of medical care are going electronic, from the digitization of medical records to online video consultations. Cybersecurity awareness needs to be as routine as mask use during surgery.
- Many modern ransomware attacks are carried out in what we’d call a “manual” way. In other words, the cybercriminals behind modern ransomware attacks tend not to fire off malware scattershot, but rather to seek out ways to infect specific victims’ computers and servers, often using the art of social engineering. Sometimes, after infiltrating a network, they study the infrastructure at great length in search of the most valuable data. To detect such attacks, for which endpoint protection may not suffice, we recommend engaging a managed detection response service to monitor your infrastructure remotely.